SYNC: fixed permission check, new permission test

2026-04-17 22:36:01 +00:00 · 2025-08-22 10:33:01 +02:00
parent 02a69ea6d9
commit ee40f32b0c
3 changed files with 46 additions and 8 deletions
--- a/e2e-tests/cypress/e2e/team.cy.js
+++ b/e2e-tests/cypress/e2e/team.cy.js
@@ -119,4 +119,27 @@ describe('Team edition tests', () => {
    cy.contains('Exporting query').click();
    cy.themeshot('auditlog');
  });
+
+  it('Edit database permissions', () => {
+    cy.testid('LoginPage_linkAdmin').click();
+    cy.testid('LoginPage_password').type('adminpwd');
+    cy.testid('LoginPage_submitLogin').click();
+
+    cy.testid('AdminMenuWidget_itemRoles').click();
+    cy.testid('AdminRolesTab_table').contains('superadmin').click();
+    cy.testid('AdminRolesTab_databases').click();
+
+    cy.testid('AdminDatabasesPermissionsGrid_addButton').click();
+    cy.testid('AdminDatabasesPermissionsGrid_addButton').click();
+    cy.testid('AdminDatabasesPermissionsGrid_addButton').click();
+    
+    cy.testid('AdminListOrRegexEditor_1_regexInput').type('^Chinook[\\d]*$');
+    cy.testid('AdminListOrRegexEditor_2_listSwitch').click();
+    cy.testid('AdminListOrRegexEditor_2_listInput').type('Nortwind\nSales');
+    cy.testid('AdminDatabasesPermissionsGrid_roleSelect_0').select('-2');
+    cy.testid('AdminDatabasesPermissionsGrid_roleSelect_1').select('-3');
+    cy.testid('AdminDatabasesPermissionsGrid_roleSelect_2').select('-4');
+
+    cy.themeshot('dbpermissions');
+  });
 });
--- a/packages/api/src/utility/hasPermission.js
+++ b/packages/api/src/utility/hasPermission.js
@@ -48,11 +48,14 @@ async function testConnectionPermission(connection, req, loadedPermissions) {
      return;
    }
    const conid = _.isString(connection) ? connection : connection?._id;
+    if (hasPermission('internal-storage', loadedPermissions) && conid == '__storage') {
+      return;
+    }
    const authProvider = getAuthProviderFromReq(req);
    if (!req) {
      return;
    }
-    if (!await authProvider.checkCurrentConnectionPermission(req, conid)) {
+    if (!(await authProvider.checkCurrentConnectionPermission(req, conid))) {
      throw new Error('Connection permission not granted');
    }
  } else {
@@ -215,11 +218,23 @@ const TABLE_SCOPE_ID_NAMES = {
  '-9': 'collections',
 };

-function getTablePermissionRole(conid, database, objectTypeField, schemaName, pureName, loadedTablePermissions, databasePermissionRole) {
-  let res = databasePermissionRole == 'read_content' ? 'read' :
-    databasePermissionRole == 'write_data' ? 'create_update_delete' :
-      databasePermissionRole == 'run_script' ? 'run_script' :
-        'deny';
+function getTablePermissionRole(
+  conid,
+  database,
+  objectTypeField,
+  schemaName,
+  pureName,
+  loadedTablePermissions,
+  databasePermissionRole
+) {
+  let res =
+    databasePermissionRole == 'read_content'
+      ? 'read'
+      : databasePermissionRole == 'write_data'
+      ? 'create_update_delete'
+      : databasePermissionRole == 'run_script'
+      ? 'run_script'
+      : 'deny';
  for (const permissionRow of loadedTablePermissions) {
    if (!matchDatabasePermissionRow(conid, database, permissionRow)) {
      continue;
@@ -286,7 +301,6 @@ async function testDatabaseRolePermission(conid, database, requiredRole, req) {
  }
 }

-
 module.exports = {
  hasPermission,
  connectionHasPermission,
@@ -298,5 +312,5 @@ module.exports = {
  getTablePermissionRole,
  testStandardPermission,
  testDatabaseRolePermission,
-  getTablePermissionRoleLevelIndex
+  getTablePermissionRoleLevelIndex,
 };
--- a/packages/web/src/elements/TableControl.svelte
+++ b/packages/web/src/elements/TableControl.svelte
@@ -199,6 +199,7 @@
  tabindex={selectable ? -1 : undefined}
  on:keydown={handleKeyDown}
  class:stickyHeader
+  data-testid={$$props['data-testid']}
 >
  <thead class:stickyHeader>
    <tr>